Win antivirus pöpö

Viestiketju Virukset ja haittaohjelmat - HijackThis -logit -osiossa. Ketjun avasi Esa84 31.10.2006.

Viestiketjun tila:
Viestiketju on suljettu.
  1. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    Eli netti pomppii monelle oudolle sivulle. Tuossa logi, jos joku viisaampi osaisi auttaa.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:41:16, on 31.10.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearchIndexer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - Startup: CPRun.lnk = C:\Philips\CPRun.exe
    O4 - Startup: Power2Go Express.lnk = C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
    O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
     
    Esa84, 31.10.2006
    #1
  2.  
  3. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Lataa SmitfraudFix (c) S!Ri
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Pura sisältö (kansio nimeltä SmitfraudFix) työpöydällesi:

    Avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd
    Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa).
    Postita tämän tekstitiedoston sisältö viestiketjuusi.
     
    Daniii, 01.11.2006
    #2
  4. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    SmitFraudFix v2.117

    Scan done at 17:57:40,29, ke 01.11.2006
    Run from C:\Documents and Settings\Esa\Ty”p”yt„\SmitfraudFix
    OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ld???.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Esa


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Esa\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Esa\Suosikit

    C:\DOCUME~1\Esa\Suosikit\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Nykyinen kotisivu"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
    Esa84, 01.11.2006
    #3
  5. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Printtaa ohjeet ulos.

    Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi.

    Kun vikasietotilassa, avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd
    Valitse optio #2 - Clean kirjoittamalla 2 ja painamalla "Enter" poistaaksesi tarttuneet tiedostot.

    Sinulta kysytään: "Registry cleaning - Do you want to clean the registry ?"; vastaa "Yes" kirjoittamalla Y ja paina "Enter" poistaaksesi työpöydän taustakuvan ja puhdistaaksesi tarttuneet rekisteriavaimet.

    Työkalu tarkistaa jos wininet.dll on tarttunut. Sinua saatetaan pyytää korvaamaan tarttunut .dll (jos löytyy); vastaa "Yes" kirjoittamalla Y ja painamalla "Enter".

    Työkalun saattaa tarvita käynnistää kone uudelleen; jos ei tee niin, käynnistä normaaliin Windowsiin.
    Tekstitiedosto ilmestyy, puhdistusprosessin jäljiltä; kopioi & liitä tämän raportin tulokset vastaukseesi.
    Raportti löytyy paikalliselta levyltäsi, useimmiten C:\rapport.txt.
     
    Daniii, 01.11.2006
    #4
  6. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    Sellanen ongelma ois vielä että koneeni ei suostu jäämään vikasietotilaan. Olen koittanut painaa F8 näppäintä monessakin kohtaa, mutta kone vaan hyppää windowsiin. Olisko tietoa tästä..?
    Mutta kuitenkin suuri kiitos avustasi!
     
    Esa84, 01.11.2006
    #5
  7. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    koitas räpytellä koneen käynnistyessä f5 -näppäintä, niilläkin voi päästä valikkoon josta pääset valitsemaan vikasietotila. Jos tämäkään ei auta niin mene Käynnistä (Start) --> Suorita (Run) kirjoita Avaa: -riville msconfig, valitse välilehti boot.ini ja sieltä pistä ruksi /safeboot eteen.

    Heitä ruksi avautuvaan ikkunaan kun windows käynnistyy (muistaakseni koski jotenkin järjestelmän kokoonpanosovellusta tjs.)

    Ota ruksi pois kohdasta kun olet saanut homman suoritettua.
     
    Viimeksi muokattu: 01.11.2006
    Daniii, 01.11.2006
    #6
  8. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    Jes! F5:lla siirty valikkoon ja pääsin vikasietotilaan. Homma toimi kuin junan vessa ja mielestäni pöpöt on poistettu! Tuossa vielä toi rapport:

    SmitFraudFix v2.117

    Scan done at 19:01:45,03, ke 01.11.2006
    Run from C:\Documents and Settings\Esa\Ty”p”yt„\SmitfraudFix
    OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ld???.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\Esa\Suosikit\Antivirus Test Online.url Deleted
    C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Security Troubleshooting.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
    Esa84, 01.11.2006
    #7
  9. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Eipäs hätäillä vielä, näen logissasi lisää roskaa, tehdäämpäs näin:

    Lataa VundoFix.exe työpöydällesi.
    http://www.atribune.org/ccount/click.php?id=4

    * Tupla-klikkaa VundoFix.exe ajaaksesi sen.
    * Klikkaa Scan for Vundo valintaa.
    * Kun skannaus on valmis, klikkaa Remove Vundo valintaa.
    * Sinulta kysytään haluatko poistaa filut - klikkaa YES.
    * Kun olet klikannut yes, työpöytäsi tyhjenee kun se alkaa poistamaan Vundoa.
    * Kun se on valmis, fiksi ilmoittaa käynnistäväsi koneesi uudelleen, klikkaa OK.
    * Postita C:\vundofix.txt lokin sekä tuoreen HijackThis lokin sisältö.
     
    Daniii, 01.11.2006
    #8
  10. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    VundoFix V6.2.6

    Checking Java version...

    Java version is 1.5.0.9

    Scan started at 21:44:02 1.11.2006

    Listing files found while scanning....

    C:\WINDOWS\system32\ihprhymo.exe
    C:\WINDOWS\system32\wkdsbejy.exe
    C:\WINDOWS\inf\untahrd.dll
    C:\WINDOWS\inf\drhatnu.ini
    C:\WINDOWS\inf\drhatnu.bak1
    C:\WINDOWS\inf\drhatnu.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ihprhymo.exe
    C:\WINDOWS\system32\ihprhymo.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wkdsbejy.exe
    C:\WINDOWS\system32\wkdsbejy.exe Has been deleted!

    Attempting to delete C:\WINDOWS\inf\untahrd.dll
    C:\WINDOWS\inf\untahrd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\inf\drhatnu.ini
    C:\WINDOWS\inf\drhatnu.ini Has been deleted!

    Attempting to delete C:\WINDOWS\inf\drhatnu.bak1
    C:\WINDOWS\inf\drhatnu.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\inf\drhatnu.bak2
    C:\WINDOWS\inf\drhatnu.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!


    Logfile of HijackThis v1.99.1
    Scan saved at 21:54:40, on 1.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearchIndexer.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: MSN Search -työkalurivi Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
    O2 - BHO: (no name) - {EEB680C2-FD7D-4CEA-9C88-413740E08538} - C:\WINDOWS\inf\untahrd.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - Startup: CPRun.lnk = C:\Philips\CPRun.exe
    O4 - Startup: Power2Go Express.lnk = C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
    O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winigd32 - winigd32.dll (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

     
    Esa84, 01.11.2006
    #9
  11. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Poista ohjauspaneelin lisää tai poista sovelluksella:

    VSToolbar

    Avaa hjt klikkaa do a system scan only ja merkitse seuraavat:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {EEB680C2-FD7D-4CEA-9C88-413740E08538} - C:\WINDOWS\inf\untahrd.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
    O20 - Winlogon Notify: winigd32 - winigd32.dll (file missing)

    ... ja paina fix checked.

    Vaihda vielä ton hijackthis.exe:n nimi scanner.exe:ksi ja lähetä uusi hjt-logi, niin varmistutaan että vundo on kokonaan poissa.

     
    Viimeksi muokattu: 01.11.2006
    Daniii, 01.11.2006
    #10
  12. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 22:38:17, on 1.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearchIndexer.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: MSN Search -työkalurivi Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
    O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: CPRun.lnk = C:\Philips\CPRun.exe
    O4 - Startup: Power2Go Express.lnk = C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
    O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?f2b9b830cebc4f74b02e62099239d69
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

     
    Esa84, 01.11.2006
    #11
  13. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Daniii, 01.11.2006
    #12
  14. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 17:30:22 2.11.2006

    + Scan result:



    HKU\S-1-5-21-1386753483-3632271252-2160498051-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D38A51A-23C9-48A1-A33C-48675AA2B494} -> Adware.Generic : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP508\A0038973.exe -> Adware.Searchcolor : No action taken.
    C:\VundoFix Backups\ihprhymo.exe.bad -> Adware.Searchcolor : No action taken.
    C:\WINDOWS\system32\hdwqjkdx.exe -> Adware.Searchcolor : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP492\A0037223.dll -> Adware.Searchcolours : No action taken.
    C:\HJT\backups\backup-20061101-223709-326.dll -> Adware.WinAD : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP448\A0033953.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP448\A0033954.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035189.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035190.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035191.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035192.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035193.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035194.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035195.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035196.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035197.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035198.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035199.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035200.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035201.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035202.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035203.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035204.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP467\A0035205.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\anqdemtx.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\bjkfbhqq.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\bvaqpexc.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\bxpunkvq.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\dcbtsjdq.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\eifdsoww.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\gshtbwda.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\jmbjicgi.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\ncbrwvsy.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\ntvuufwv.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\rvjqxwnd.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\sdjxvxut.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\ssjesoov.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\tsnxqiqp.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\uoqvekwd.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\wgbrkeoe.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\wswhxcla.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\xhrtmjrg.0ll -> Logger.VBStat.e : No action taken.
    C:\WINDOWS\system32\xhtjtrgf.0ll -> Logger.VBStat.e : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP439\A0033478.0xe -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP439\A0033481.0xe -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\WINDOWS\system32\alhgqoyl.0xe -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\WINDOWS\system32\uulxsbjw.0xe -> Not-A-Virus.Downloader.Win32.WinFixer.i : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP508\A0038974.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : No action taken.
    C:\VundoFix Backups\wkdsbejy.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : No action taken.
    :mozilla.14:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.48:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Esa\Cookies\esa@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
    :mozilla.43:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.44:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.45:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.46:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.47:C:\Documents and Settings\Esa\Application Data\Mozilla\Firefox\Profiles\zl0dddn4.Oletuskäyttäjä\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    C:\WINDOWS\system32\drivers\DP.0ys -> Trojan.Agent.ny : No action taken.
    C:\WINDOWS\system32\tajgnecg.0xe -> Trojan.Agent.ny : No action taken.
    C:\WINDOWS\system32\xnqfqlmw.0xe -> Trojan.Agent.ny : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP461\A0034902.0ll -> Trojan.BHO.g : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP479\A0036666.0ll -> Trojan.BHO.g : No action taken.
    C:\WINDOWS\system32\itcjnemt.0ll -> Trojan.BHO.g : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP439\A0033479.0xe -> Trojan.Small.ju : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP439\A0033480.0xe -> Trojan.Small.ju : No action taken.
    C:\System Volume Information\_restore{28F2FB3A-021C-425C-B067-E02C7D9E6A88}\RP439\A0033482.0xe -> Trojan.Small.ju : No action taken.
    C:\WINDOWS\system32\ewncyxoa.0xe -> Trojan.Small.ju : No action taken.
    C:\WINDOWS\system32\pvsuxoqh.0xe -> Trojan.Small.ju : No action taken.
    C:\WINDOWS\system32\wjrpimge.0xe -> Trojan.Small.ju : No action taken.


    ::Report end

     
    Esa84, 02.11.2006
    #13
  15. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Ewido löysi kyllä haittaohjelmia mutta sulla ei ollut asetus päällä että se poistais ne. Katsoppas ohjeet uudestaan ja kiinnitä huomiota kohtaa jossa se asetus määritetään.

    Valitse ensin Settings-välilehden. Tämä kohta vaatii erityistä huomiota! Aseta asetukset kuvan ja tekstin mukaisesti!


    1. How to act: Oletuksena tässä kohdassa on "Recommended actions", joilloin ohjelma poistaa vain kriittiset haittaohjelmat. Klikkaa kohta ja muuta se "Quarantine", näin ollen ewido/AVG poistaa kaikki sen löydöt ja siirtää ne myös karanteeniin! Karanteenista voidaan tiedostot vielä palauttaa mikäli ewido/AVG on poistanut väärän positiivisen!

    Eli tee tuo ja aja scan uudestaan ja lähetä uusi logi.
     
    Daniii, 02.11.2006
    #14
  16. Esa84

    Esa84 Member

    Liittynyt:
    31.10.2006
    Viestejä:
    12
    Kiitokset:
    0
    Pisteet:
    11
    niih. Mokasin etten heti tajunnu muuttaa sitä asetusta. Mut laitoin kyllä manuaalisesti scannauksen jälkeen kaikki karanteeniin ja siellä nuo näkyy olevan. Nyt on myös oletus asetukset silleen niiku ohje neuvoo. Mutta kyllä tämä tästä on iloks muuttunu :) Kone pelaa ihan eri lailla ku ennen! Vielä kerran kiitokset suuresta avusta.
     
    Esa84, 02.11.2006
    #15
  17. Daniii

    Daniii Regular member

    Liittynyt:
    11.05.2006
    Viestejä:
    120
    Kiitokset:
    0
    Pisteet:
    26
    Joo sen takia oli vähän pitkät ohjeet että varmistuttiin että kone on varmasti puhdas eikä 2viikon päästä taas saastunut, mutta hyvä jos pelaa nyt paremmin :)
     
    Daniii, 02.11.2006
    #16
Viestiketjun tila:
Viestiketju on suljettu.

Jaa tämä sivu